June 04, 2019 / by J Burks / In siem, log-management

Difference between SIEM and Log management - Everything you need to know

Today, technologies like log management and SIEM are found in enterprise IT environments across the globe. SIEM and log management have a number of features in common, prompting some people to use these terms interchangeably — but they aren’t one and the same. In this article, we’ll take a closer look at the two technologies to understand what makes them unique.

Log management: the generalist

Log management software addresses an organization’s need for a way to store and organize logs easily and reliably. The concept of log management has been around almost as long as logs themselves. However, as the volume of logs generated in contemporary IT environments has grown over the years, so has the need for specialized software capable of handling this task.

In log management solutions, the focus is on storage, organization and retrieval features. The hardware and software in use in any given enterprise may produce logs in a variety of formats, and their contents may be highly dissimilar. For example, web server logs and antivirus software logs have little in common with each other. For this reason, log management software typically has a more generalized feature set. Common features include the ability to retrieve stored logs that match a given set of criteria, produce compliance reports according to various standards and perform basic log analysis.

SIEM: the specialist

SIEM, which stands for security information and event management, refers to technology designed specifically for storing and making use of security-related data. The majority of this data is found in the form of log files, so there is some overlap between SIEM and log management solutions. However, SIEM software incorporates specialized features that are of use to security professionals. These features make it easier to analyze security events and correlate event information from different log sources.

How SIEM works

At the core of SIEM is “log ingestion,” the processing of log data in near real time. SIEM software is equipped with log parsers that enable it to understand how logs in various formats are structured. These parsers, in turn, make it possible to correlate data from multiple sources almost immediately after it is generated. Security operations are often time-sensitive, so the ability to quickly reference several sources of related information at once is invaluable in security operations centers (SOCs).

Feature sets vary somewhat from one SIEM platform to the next. On top of the core feature set, centered around processing and analyzing log files, many vendors’ products also include specialized features. For example, automation support is built into a number of modern SIEM solutions. Advanced analysis functionality, including the use of machine learning models, is built into some and available as an add-on for others.

Which one is right for you?

Because each organization’s needs are unique, a SIEM platform isn’t always going to be the best choice. Below, we’ve summarized the benefits of SIEM and log management solutions to help you understand which is the best fit for your environment.

The benefits of SIEM

Choose SIEM over log management if:

  • You need a security-focused solution - SIEM software is designed with SOCs in mind. When implemented well, SIEM makes security work more efficient and more effective.
  • You need analysis and reporting features - By nature, information about a single security event is often split between multiple sources, since different aspects of an event are recorded in different logs. Among others, SIEM log sources include firewalls, antivirus software, and intrusion detection systems. With features that can analyze events across all of these sources at once, SIEM software has a significant advantage over log management software in complex and high-risk IT environments.
  • You need integration with other security tools - Modern SIEM solutions let you take advantage of external sources of information like threat intelligence feeds, giving you a higher level of certainty in making security-related decisions. Tools for UEBA (user and entity behavior analytics) and SOAR (security orchestration, automation and response) are also available out of the box or as add-ons from many SIEM vendors.
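The following is an added illustration, not code from the original article or any SIEM vendor, of the two ideas above: format-specific log parsers that normalize dissimilar sources (here a constructed Apache-style web log and a constructed syslog-style firewall log) into a common event record, and a correlation step that flags a source IP seen in more than one log source within a short time window. The log lines, field names and the 5-minute window are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (documentation addresses, not real traffic).
WEB_LOG = [
    '203.0.113.7 - - [04/Jun/2019:10:15:02 +0000] "GET /wp-login.php HTTP/1.1" 401 512',
    '198.51.100.3 - - [04/Jun/2019:10:15:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
FW_LOG = [
    'Jun  4 10:14:55 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22',
    'Jun  4 10:40:00 fw01 kernel: DROP IN=eth0 SRC=198.51.100.3 DST=10.0.0.5 PROTO=TCP DPT=3389',
]

# One parser per format: each knows only its own layout and emits a common record.
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
FW_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (\w+) .*SRC=(\S+) .*DPT=(\d+)')

def parse_web(line):
    m = WEB_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, not guessed at
    ts = datetime.strptime(m.group(2).split()[0], "%d/%b/%Y:%H:%M:%S")
    return {"source": "web", "ts": ts, "src_ip": m.group(1),
            "detail": f"{m.group(3)} {m.group(4)} -> {m.group(5)}"}

def parse_fw(line, year=2019):
    m = FW_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the year is an assumption supplied by the caller
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"source": "fw", "ts": ts, "src_ip": m.group(3),
            "detail": f"{m.group(2)} to port {m.group(4)}"}

def correlate(events, window=timedelta(minutes=5)):
    """Group normalized events by source IP; report pairs from different
    log sources that fall within `window` of each other."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["src_ip"]].append(ev)
    hits = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # sorted, so later events are further away still
                if a["source"] != b["source"]:
                    hits.append((ip, a["source"], b["source"], a["detail"], b["detail"]))
    return hits

def run():
    events = [e for e in map(parse_web, WEB_LOG) if e]
    events += [e for e in map(parse_fw, FW_LOG) if e]
    return correlate(events)
```

Running `run()` reports only 203.0.113.7, whose firewall drop and failed web login are seven seconds apart; 198.51.100.3 appears in both logs too, but 25 minutes apart, so a log management query by IP would list it while the windowed correlation does not.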

The benefits of log management

Choose log management over SIEM if:

  • You need a generalized solution - If a large amount of your log data isn’t security-related, or if your reasons for retaining logs are not connected to your enterprise’s security needs, a log management solution is the better choice.
  • Your main concern is storage and retention - If you don’t need the analysis and reporting features found in SIEM software, and simply want a way to easily organize and store logs, choosing log management over SIEM may help your organization save money.
  • You only need to retain logs for regulatory compliance - Log management software can simplify the process of establishing and demonstrating regulatory compliance. Enterprise log management software makes it easy to set up a log retention policy that complies with legal requirements.

Conclusion

While log management and SIEM have some common ground, they aren’t the same thing. Each one has its advantages, with log management solutions being more appropriate for general use and SIEM software being better suited to security-specific applications and environments. In the end, which type of solution is best for you depends on your organization’s IT environment and its needs.